<%@ page language="java"%>
<%@ page import="java.sql.*"%>
<%@ page import="java.util.*"%>
<%@ page import="java.io.*"%>
<html>
<head><title>Change Screen</title>
</head>
<body>
<center>
<%
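	// Legacy blacklist "sanitiser" for request values that end up in HTML output.
	//
	// Three patterns are removed case-insensitively: <script>...</script> blocks, any
	// element whose opening tag contains "javascript:", and any element whose opening
	// tag carries a whitespace-preceded "on..." attribute -- each only when a closing
	// tag follows on the same line ('.' does not match newlines). This is NOT a
	// complete XSS defence: an unclosed tag such as <img src=x onerror=...> passes
	// straight through, so the returned value must still be HTML-escaped (and placed
	// in a quoted attribute) at the point where it is written to the response.
	class XSSchecker
	{
		// Returns the input with the patterns above stripped; null is treated as "".
		public String sanitize(String string)
		{
			if (string == null)
			{
				return "";
			}
			// Strings are immutable: each replaceAll() result has to be assigned back,
			// otherwise the call is a no-op and the input is returned untouched.
			String cleaned = string;
			cleaned = cleaned.replaceAll("(?i)<script.*?>.*?</script.*?>", "");
			cleaned = cleaned.replaceAll("(?i)<.*?javascript:.*?>.*?</.*?>", "");
			cleaned = cleaned.replaceAll("(?i)<.*?\\s+on.*?>.*?</.*?>", "");
			return cleaned;
		}
	};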

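       // Renders the presentations on the screen named by the "id" request parameter,
       // plus the Add/Delete forms for it. Administrators (session "user_level" equal to
       // "administrator") see every presentation; other users only the ones they own.
       //
       // Security-relevant behaviour of this scriptlet:
       //  * Every untrusted value written to the response -- the "id" parameter and the
       //    file_name/username columns read from the database -- is HTML-escaped first,
       //    and every attribute it lands in is quoted (CWE-79).
       //  * The screen id and the session user id are bound as PreparedStatement
       //    parameters; no SQL text is built from request data (CWE-89).
       //  * Failures are logged with ServletContext.log and only a generic message is
       //    shown. Echoing the exception would be an information leak: a SQLException
       //    from the connection attempt can contain the JDBC URL with its embedded
       //    password (CWE-209).
       //  * JDBC resources are released in finally, so an exception halfway through the
       //    page no longer leaks the connection (CWE-404).
       // Still open and outside what this page alone can fix: the JDBC URL embeds a
       // database password and belongs in a container-managed DataSource/JNDI resource,
       // and the Add/Delete forms carry no anti-CSRF token, so change_screen_add_exec.jsp
       // and change_screen_delete_exec.jsp can be driven from a third-party site (CWE-352).
       try
       {
           // Escapes the five HTML metacharacters so untrusted text cannot break out of a
           // text node or a quoted attribute value. null renders as an empty string.
           class HtmlEscaper
           {
               public String escape(String text)
               {
                   if (text == null)
                   {
                       return "";
                   }
                   return text.replace("&", "&amp;")
                              .replace("<", "&lt;")
                              .replace(">", "&gt;")
                              .replace("\"", "&quot;")
                              .replace("'", "&#39;");
               }
           }
           HtmlEscaper html = new HtmlEscaper();
           XSSchecker checker = new XSSchecker();

           // Compare with equals(): == on Strings only holds when both sides happen to be
           // the same interned instance, which depends on how the login page stored them.
           if (!"true".equals(session.getAttribute("logged_in")))
           {
               out.println("Not Logged In");
           }
           else
           {
               out.println("<h2>Logged In</h2>");
               boolean isAdmin = "administrator".equals(session.getAttribute("user_level"));

               // A missing parameter is treated like an empty one instead of blowing up
               // with a NullPointerException that would land in the catch below.
               String rawId = request.getParameter("id");
               String screenId = (rawId == null) ? "" : rawId.trim();

               if (screenId.isEmpty())
               {
                   out.println("You must select a screen<br>");
               }
               else
               {
                   // Display form of the id: the legacy tag-stripping pass followed by real
                   // output encoding. The database lookups below bind screenId itself as a
                   // parameter, so no sanitising is needed (or wanted) there.
                   String safeId = html.escape(checker.sanitize(screenId));

                   out.println("<br>You selected screen id: " + safeId + "<br><br>");
                   if (!isAdmin)
                   {
                       out.println("The presentations that you own that are currently on this screen are:<br><br>");
                   }

                   Connection con = null;
                   PreparedStatement stmt = null;
                   ResultSet rst = null;
                   try
                   {
                       Class.forName("com.mysql.jdbc.Driver");
                       // SECURITY: database credentials live in the page source (and so in
                       // version control). Replace with a container DataSource looked up via
                       // JNDI so the password is configured, not compiled in.
                       String url = "jdbc:mysql://ecstiger.cs.andrews.edu/d562_2010_01?user=u562_2010_01&password=YPJ8f4We";
                       con = DriverManager.getConnection(url);

                       // Non-admins only see their own presentations; the user filter is
                       // bound as a second parameter rather than concatenated.
                       Object sessionUserId = session.getAttribute("id");
                       // A missing session id binds SQL NULL, which matches no row.
                       String userIdParam = (sessionUserId == null) ? null : sessionUserId.toString();

                       // Presentations already on the screen (constant SQL fragments only).
                       String onScreenSql = "SELECT presentation.id, presentation.file_name, user.username FROM screen, screen_presentations, presentation, user WHERE screen.id = screen_presentations.screen_id AND screen_presentations.presentation_id = presentation.id AND user.id = presentation.user_id AND screen.id = ?";
                       if (!isAdmin)
                       {
                           onScreenSql += " AND user.id = ?";
                       }
                       stmt = con.prepareStatement(onScreenSql);
                       stmt.setString(1, screenId);
                       if (!isAdmin)
                       {
                           stmt.setString(2, userIdParam);
                       }
                       rst = stmt.executeQuery();

                       out.println("The presentations currently on this screen are:<br>");
                       out.println("<TABLE border=\"1\"><tr><th>Id</th><th>Presentation Name</th><th>Username</th><th></th></tr>");
                       while (rst.next())
                       {
                           int presentationId = rst.getInt(1);
                           // file_name and username come from the database and may contain
                           // attacker-controlled text (stored XSS), so they are escaped too.
                           out.println("<tr><th>" + presentationId + "</th><th>" + html.escape(rst.getString(2))
                                   + "</th><th>" + html.escape(rst.getString(3))
                                   + "</th><th><form method=\"POST\" action=\"change_screen_delete_exec.jsp\">"
                                   + "<input type=\"hidden\" name=\"presentation_id\" value=\"" + presentationId + "\">"
                                   + "<input type=\"hidden\" name=\"screen_id\" value=\"" + safeId + "\">"
                                   + "<input type=\"submit\" value=\"Delete\"></form></th></tr>");
                       }
                       out.println("</TABLE>");
                       rst.close();
                       stmt.close();

                       out.println("<br><br>");
                       if (!isAdmin)
                       {
                           out.println("Add Presentation To This Screen:<br>");
                       }

                       // Approved presentations that may be added; non-admins see only their own.
                       // NOTE: SELECT * with a positional getString(3) depends on the column
                       // order of `presentation`; the column's name is not visible from this
                       // page, so it is left as-is rather than guessed.
                       String addableSql = "SELECT * FROM presentation WHERE allowed=1";
                       if (!isAdmin)
                       {
                           addableSql += " AND user_id = ?";
                       }
                       stmt = con.prepareStatement(addableSql);
                       if (!isAdmin)
                       {
                           stmt.setString(1, userIdParam);
                       }
                       rst = stmt.executeQuery();

                       out.println("The presentations that can be added to this screen are:<br>");
                       out.println("<TABLE border=\"1\"><tr><th>Id</th><th>Presentation Name</th><th></th></tr>");
                       while (rst.next())
                       {
                           int presentationId = rst.getInt(1);
                           out.println("<tr><th>" + presentationId + "</th><th>" + html.escape(rst.getString(3))
                                   + "</th><th><form method=\"POST\" action=\"change_screen_add_exec.jsp\">"
                                   + "<input type=\"hidden\" name=\"screen_id\" value=\"" + safeId + "\">"
                                   + "<input type=\"hidden\" name=\"presentation_id\" value=\"" + presentationId + "\">"
                                   + "<input type=\"submit\" value=\"Add\"></form></th></tr>");
                       }
                       out.println("</TABLE>");

                       out.println("<br><br>Only presentations that have been approved will show up here.<br>");
                   }
                   finally
                   {
                       // Release in reverse order of acquisition; each close is independent so
                       // one failure does not leak the remaining resources. Closing an already
                       // closed ResultSet/Statement is a no-op per the JDBC contract.
                       if (rst != null) { try { rst.close(); } catch (SQLException ignored) { } }
                       if (stmt != null) { try { stmt.close(); } catch (SQLException ignored) { } }
                       if (con != null) { try { con.close(); } catch (SQLException ignored) { } }
                   }
               }
           }
       }
       catch (Exception e)
       {
           // Server-side log only: the exception text (e.g. a SQLException from the
           // connection attempt) can reveal the JDBC URL and its embedded credentials.
           application.log("Change Screen page: request failed", e);
           out.println("An error occurred while loading this screen. Please try again later.");
       }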
%>
<br><a href="menu.jsp">Main Menu</a>
</center>
</body>
</html>
